Desktop apps interoperability

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 28 13:36:32 UTC 2005


On Mon, 2005-03-28 at 11:04 +0100, Luke Kenneth Casson Leighton wrote:
> On Sun, Mar 27, 2005 at 11:57:35PM -0500, Ivan Gyurdiev wrote:
> 
> > There can't be more than one file_type_auto_trans on the same folder
> > type (right?). 
> 
>  bizarrely, no.
> 
>  i believe this issue was raised some months ago, with the
>  "alternative file context" thing.
> 
>  if file_type_auto_trans also took an executable [domain] as an
>  additional argument, i believe you stand a chance of achieving
>  what you seek.

file_type_auto_trans() is based on the domain of the creating process,
the type of the parent directory, and optionally the class of the new
file.  Hence, you can specify different types on the same "folder" type
as long as the programs run in different domains.  If instead both
programs run in the same domain and are acting on the same directory
type and creating the same class of file, you have to make the program
security-aware if you want to use multiple types on the files (or
similarly, if you have a single program that creates multiple files in
the same directory and you want them to have different types, the
program needs to be security-aware, as with the /etc/passwd
and /etc/shadow type preservation issue).

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
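As an added illustration of the point above (example policy written for this page, not code from the original message or from the distribution policy), the rules that file_type_auto_trans() boils down to are type_transition statements keyed on the creating domain, the parent directory type, and the object class. All type names here (foo_t, bar_t, shared_dir_t, foo_data_t, bar_data_t, bar_sub_t) are hypothetical:

```selinux
# Added example, not from the original message. Type names are hypothetical.
# Two domains creating files under the same directory type receive different
# file types, because the transition key includes the source domain.

type shared_dir_t, file_type;
type foo_data_t,   file_type;
type bar_data_t,   file_type;
type bar_sub_t,    file_type;

# type_transition <creating domain> <parent dir type>:<class> <new type>;
type_transition foo_t shared_dir_t:file foo_data_t;
type_transition bar_t shared_dir_t:file bar_data_t;

# The class is part of the key too: the same domain and directory type can
# give subdirectories a different type than regular files.
type_transition bar_t shared_dir_t:dir  bar_sub_t;

# This would NOT load: it repeats the (foo_t, shared_dir_t, file) key with a
# different default type, which checkpolicy rejects as a conflicting rule.
# type_transition foo_t shared_dir_t:file bar_data_t;

# A type_transition only picks the label; the creation itself still needs
# the usual allow rules on the directory and on the new object type.
allow foo_t shared_dir_t:dir  { search getattr write add_name };
allow foo_t foo_data_t:file   { create read write getattr setattr };

allow bar_t shared_dir_t:dir  { search getattr write add_name };
allow bar_t bar_data_t:file   { create read write getattr setattr };
allow bar_t bar_sub_t:dir     { create read write getattr setattr search add_name };

# If foo_t alone must produce BOTH foo_data_t and bar_data_t files in the
# same directory, no transition rule can express that; the program has to be
# security-aware and set the creation context itself (setfscreatecon(3)
# before the creating open(2)), which requires this permission on itself:
allow foo_t self:process setfscreate;
allow foo_t bar_data_t:file   { create read write getattr setattr };
```

The last two rules are the policy half of the "security-aware program" case the message describes: the process chooses the label per file at creation time instead of relying on a single default transition for that (domain, directory type, class) triple.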




More information about the fedora-selinux-list mailing list